News - Confiant

Malvertising activity in November

Written by The Confiant Security Team | Dec 10, 2020 5:00:00 AM

This blog post series recaps some of the large attacks Confiant observed and prevented during November, identifying the threat groups involved, and some of the tactics currently in use.

Forced Redirects

Yosec continues targeting the US


Yosec ran a large attack in early November via a Tier-1 DSP. As is typical for this group, they targeted desktop computers in the US, serving scareware and fake Flash forced redirects. Aside from this spike, Yosec has maintained continuous presence with another Tier-1 DSP at a low volume.

Confiant's security team identified a browser security bypass exploited by Yosec that has been privately reported to impacted browser vendors for resolution.

eGobbler hits the US, Great Britain, France, and Italy

eGobbler was active on Sunday, November 29 via Tier 2 DSP, targeting desktop computers in the US, Great Britain, France and Italy. They ran for a full 24 hours before getting shut down.

Background: eGobbler is a group based out of China that delivers a variety of attacks (drive-by downloads, carrier branded scams) using forced redirects. eGobbler has specialized in weekend activity, typically staging attacks weeks in advance and activating them at full scale on a Saturday or Sunday morning, preferably on holidays.

Nephos7 prevented from running their attacks

Since its debut in Q4 of 2019, Nephos7 has closely mimicked eGobbler's tactics, relying on early morning high scale weekend attacks to execute forced redirects. Just like in previous months, Nephos7 continued to stage campaigns across a variety of DSPs, only to be thwarted before they could run their attacks.

Criminal scams and other Cloaking

FizzCore appears in Germany and Great Britain

Early November, FizzCore made an appearance on a Tier 1 DSP, focusing on Germany and Great Britain.

FizzCore is the original group that popularized click-bait bitcoin scam ads, leveraging celebrity imagery. Having been extremely active in the first half of the year, they were much quieter in Q3. Confiant has recently attributed multiple Bitcoin scam campaigns to FizzCore, confirming that FizzCore is still a threat to consider seriously.

In the meantime, 2020 has seen a whole ecosystem of FizzCore copycats emerge, opening an entirely new vector for profitable malvertising at scale.

Questions around the attacks?

Through our broad visibility on the ad tech ecosystem and leveraging our detection and blocking technology, we are able to directly tie attacks back to threat groups we've been indexing and tracking since 2013. If you have any questions on the attacks for this month or would like to know more about malvertising and how we can help, don't hesitate to reach out to support@confiant.com.